An article on Google's grandly-named European Public Policy Blog, which offers "Google's views on government, policy and politics in Europe", has gently announced what the search-and-advertising behemoth calls "A new option for location-based services".

The idea is simple. Google's many StreetView cars and bicycles spend their time driving around our suburbs, snapping a continuous stream of photographs of houses, gardens, offices, parks - whatever they pass on their all-encompassing journeys.

Whilst they're about it, the StreetView vehicles also make digital recordings in other parts of the electromagnetic spectrum - to wit, they sniff out WiFi access points and record their identification information and location.

Most access points spend long periods of time with the same MAC address and network name, and in the same place. So, a list of the access points currently within range of your laptop or mobile phone lets Google make a pretty good guess at your current location.

This obviates the need for GPS - which is slow to lock when you first power it up, drains your battery if you leave it running, and doesn't work well indoors.

Google's outward-facing explanation of the benefit of its massive WiFi database is that it represents value to you - it helps you find out where you are. Sadly, most of the time you already know where you are. You're at home, or in the office, or stuck yet again in a traffic jam on Parramatta Road on your way to work. Or from it.

The inward-facing explanation, of course, is that it represents value to Google - it helps Google know where you are. And that's good for targeted advertising, and that's great for business.

Anyway, after pressure from various privacy-minded data protection authorities in Europe, Google has changed its stance on its WiFi location database. You will soon be able to opt out, Google says, from being a part of the access point service.

The details of how this will work have not yet been released. How you will opt out has not been explained. And calling it "opting out" when you didn't opt in in the first place is a little cheeky.

It doesn't even sound from the blog article as though Google intends to remove your access point data from its database if you opt out. The lawyerly prose in the article simply says that if you opt out, "[Google's] services will not use that access point to determine users' locations."

(Actually, this is a Catch-22. Google pretty much has to keep you on file, simply in order to know that you didn't want to be on file in the first place. Otherwise they'd just add you back in next time the StreetView WiFi scanner came round - and then you'd have to opt out again. Sadly, you can't opt out of the StreetView collection process proactively.)
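How a lookup of this kind and the opt-out fit together, as an added example that is not from Google or from the blog post it published: the database layout, the signal-strength weighting and the choice to discard coordinates on opt-out are all assumptions, and every MAC address and coordinate is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApRecord:
    lat: Optional[float]
    lon: Optional[float]
    opted_out: bool = False  # tombstone: must be kept so a re-survey cannot re-add the AP

class ApLocationDb:
    """Hypothetical survey database keyed by access point MAC address."""

    def __init__(self):
        self.records = {}

    def survey(self, mac, lat, lon):
        """Record a sighting from a drive-by survey, unless the owner opted out."""
        rec = self.records.get(mac.lower())
        if rec is not None and rec.opted_out:
            return  # the Catch-22: the MAC stays on file so this sighting can be ignored
        self.records[mac.lower()] = ApRecord(lat, lon)

    def opt_out(self, mac):
        """Drop the coordinates but keep the MAC and the opt-out flag (assumed policy)."""
        self.records[mac.lower()] = ApRecord(None, None, opted_out=True)

    def locate(self, scan):
        """Estimate (lat, lon) from {mac: rssi_dbm}; None if no usable AP is in range."""
        total = lat = lon = 0.0
        for mac, rssi_dbm in scan.items():
            rec = self.records.get(mac.lower())
            if rec is None or rec.opted_out:
                continue  # unknown or opted-out APs contribute nothing
            weight = 10 ** (rssi_dbm / 10.0)  # dBm to linear power: stronger counts more
            total += weight
            lat += weight * rec.lat
            lon += weight * rec.lon
        return (lat / total, lon / total) if total else None

if __name__ == "__main__":
    db = ApLocationDb()
    db.survey("02:00:00:00:00:01", -33.880, 151.150)  # constructed sample data
    db.survey("02:00:00:00:00:02", -33.882, 151.154)
    scan = {"02:00:00:00:00:01": -50, "02:00:00:00:00:02": -50}
    print("both APs usable:", db.locate(scan))
    db.opt_out("02:00:00:00:00:02")
    db.survey("02:00:00:00:00:02", -33.882, 151.154)  # the survey car comes round again
    print("after opt-out:  ", db.locate(scan))
```

Even in this minimal form the opted-out MAC address has to stay in the database, and a device in range of the remaining access points is still located.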

Nevertheless, this is an interesting change because it shows that, with enough pressure, even data-accumulation juggernauts like Google can be persuaded to change their ways.

In short: if big companies are doing things online with your data which you aren't happy with, don't just keep quiet. Write to your Privacy Commissioner. You can make a difference!

6 Responses to Google relents, offers "WiFi sniffing" opt-out

Perhaps we should know what data Google has about us. If the data still remains with Google, the "Opt out" is not really an opt out. Google should let us know what data they have. We have a right to know what data they have about us.

Of course, those with the technical wherewithal to know how to opt out are likely to be those whose Wi-Fi routers already use WPA2-PSK encryption and probably don't broadcast their SSIDs. Never mind that the approximate location of many Wi-Fi routers could probably be determined through GeoIP or even reverse DNS - the DNS name for many ISP routers includes clues as to its location.

Then there's the fact that many Wi-Fi routers are operated by commercial entities - and those offering free Wi-Fi to customers are likely to broadcast their SSID and possibly even have relatively weak encryption.

Google offers to let me opt out, so they do not sniff my Wi-Fi? This is laughable. Google is laughable. WPA2 with TKIP authentication and crazy 63 random characters of random nightmare gibberish as passphrase. Sniff on that, Google! Google rejects, discards and destroys any encrypted traffic they cannot decrypt. Everyone, just encrypt your access point or router Wi-Fi with WPA2 and TKIP, and you have opted yourself out from Google's sniffing, for real, for sure, regardless of what Google has to say about it. This is how you will FORCE Google not to sniff on you, because whatever they get will be pseudorandom noise, and they will not be able to make any sense out of it. If they see on a regular basis that your traffic is encrypted they will give up on you. This is how you will get rid of them, and force them to stay out of your traffic, regardless of everything, or what they have to say.

WPA2-PSK isn't secure enough anymore anyway, although it stops basic passers-by like Google. Someone with a bit of technical knowledge will probably know how to use their GPU and CPU together to get a 63 random character WPA2-PSK key broken in under an hour.

This was demonstrated at Black Hat and I tried it out at home; it's scary.

This isn't Google's only trick. I read their new privacy policy about a year ago - then opted out of everything possible, use Bing instead, quit Chrome and went back to IE9 because it's the only browser that allows me to block any Google stuff on any site optionally. Google is just a database of everyone's lives and hobbies. I'm glad that my info will be outdated now.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog